extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 09:47:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

Put this puppy to bed for the night

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5520 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-03-14 04:06:32 +00:00
parent 0f1892ba28
commit ac9fe46768
4 changed files with 256 additions and 233 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

197
New/Shorewall/Chains.pm
View File

@ -15,11 +15,19 @@ our @EXPORT = qw( add_rule
dynamic_fwd
dynamic_in
dynamic_out
cynamic_chains
dynamic_chains
dnat_chain
snat_chain
ecn_chain
first_chains
new_chain
ensure_chain
ensure_filter_chain
new_standard_chain
new_builtin_chain
initialize_chain_table
dump_chain_table
finish_section
@policy_chains
%chain_table
@ -224,4 +232,191 @@ sub first_chains( $ ) #$1 = interface
[ $c . '_fwd', $c . '_in' ];
}
#
# Create a new chain and return a reference to it.
#
sub new_chain($$)
{
my ($table, $chain) = @_;
my %ch;
my @rules;
$ch{name} = $chain;
$ch{log} = 1 if $env{LOGRULENUMBERS};
$ch{rules} = \@rules;
$ch{table} = $table;
$chain_table{$table}{$chain} = \%ch;
\%ch;
}
#
# Create a chain if it doesn't exist already
#
sub ensure_chain($$)
{
my ($table, $chain) = @_;
my $ref = $chain_table{$table}{$chain};
return $ref if $ref;
new_chain $table, $chain;
}
sub finish_chain_section( $$ );
#
# Create a filter chain if necessary. Optionally populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
#
sub ensure_filter_chain( $$ )
{
my ($chain, $populate) = @_;
my $chainref = $filter_table->{$chain};
$chainref = new_chain 'filter' , $chain unless $chainref;
if ( $populate and ! $chainref->{referenced} ) {
if ( $section eq 'NEW' or $section eq 'DONE' ) {
finish_chain_section $chainref , 'ESTABLISHED,RELATED';
} elsif ( $section eq 'ESTABLISHED' ) {
finish_chain_section $chainref , 'ESTABLISHED';
}
}
$chainref->{referenced} = 1;
$chainref;
}
#
# Add a builtin chain
#
sub new_builtin_chain($$$)
{
my $chainref = new_chain $_[0],$_[1];
$chainref->{referenced} = 1;
$chainref->{policy} = $_[2];
$chainref->{builtin} = 1;
}
sub new_standard_chain($) {
my $chainref = new_chain 'filter' ,$_[0];
$chainref->{referenced} = 1;
$chainref;
}
#
# Add all builtin chains to the chain table
#
#
sub initialize_chain_table()
{
for my $chain qw/OUTPUT PREROUTING/ {
new_builtin_chain 'raw', $chain, 'ACCEPT';
}
for my $chain qw/INPUT OUTPUT FORWARD/ {
new_builtin_chain 'filter', $chain, 'DROP';
}
for my $chain qw/PREROUTING POSTROUTING OUTPUT/ {
new_builtin_chain 'nat', $chain, 'ACCEPT';
}
for my $chain qw/PREROUTING INPUT FORWARD OUTPUT POSTROUTING/ {
new_builtin_chain 'mangle', $chain, 'ACCEPT';
}
if ( $capabilities{MANGLE_FORWARD} ) {
for my $chain qw/ FORWARD POSTROUTING / {
new_builtin_chain 'mangle', $chain, 'ACCEPT';
}
}
}
#
# Dump the contents of the Chain Table
#
sub dump_chain_table()
{
print "\n";
for my $table qw/filter nat mangle/ {
print "Table: $table\n";
for my $chain ( sort keys %{$chain_table{$table}} ) {
my $chainref = $chain_table{$table}{$chain};
print " Chain $chain:\n";
if ( $chainref->{is_policy} ) {
print " This is a policy chain\n";
my $val = $chainref->{is_optional} ? 'Yes' : 'No';
print " Optional: $val\n";
print " Log Level: $chainref->{loglevel}\n" if $chainref->{loglevel};
print " Syn Parms: $chainref->{synparams}\n" if $chainref->{synparams};
print " Default: $chainref->{default}\n" if $chainref->{default};
}
print " Policy chain: $chainref->{policychain}{name}\n" if $chainref->{policychain} ;
print " Policy: $chainref->{policy}\n" if $chainref->{policy};
print " Referenced\n" if $chainref->{referenced};
if ( @{$chainref->{rules}} ) {
print " Rules:\n";
for my $rule ( @{$chainref->{rules}} ) {
print " $rule\n";
}
}
}
}
}
#
# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain
#
sub finish_chain_section ($$) {
my ($chainref, $state ) = @_;
my $chain = $chainref->{name};
add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT};
if ($sections{RELATED} ) {
if ( $chainref->{is_policy} ) {
if ( $chainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', "\@$chain";
if ( $section eq 'DONE' ) {
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE)$/ ) {
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
}
} else {
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
}
}
} else {
my $policychainref = $chainref->{policychain};
if ( $policychainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', "\@$policychainref->{name}";
add_rule $synchainref, "-p tcp --syn -j $synchainref->{name}";
}
}
}
}
#
# Do section-end processing
#
sub finish_section ( $ ) {
my $sections = $_[0];
for my $zone ( @zones ) {
for my $zone1 ( @zones ) {
my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"};
if ( $chainref->{referenced} ) {
finish_chain_section $chainref, $sections;
}
}
}
}
1;

31
New/Shorewall/Common.pm
View File

@ -1,9 +1,11 @@
package Shorewall::Common;
require Exporter;
use File::Temp qw/ tempfile tempdir /;
our @ISA = qw(Exporter);
our @EXPORT = qw(warning_message
fatal_error
create_temp_object
emit
emit_unindented
save_progress_message
@ -15,9 +17,9 @@ our @EXPORT = qw(warning_message
pop_indent
copy
copy1
append_file
$line $object $lastlineblank);
$line
$lastlineblank);
our @EXPORT_OK = ();
our @VERSION = 1.00;
@ -45,6 +47,18 @@ sub fatal_error
die;
}
sub create_temp_object() {
my $tempfile;
eval {
( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
};
fatal_error "$@" if $@;
return $tempfile;
}
#
# Write the argument to the object file (if any) with the current indentation.
#
@ -127,6 +141,7 @@ sub save_progress_message_short( $ ) {
# Functions for copying files into the object
#
sub copy( $ ) {
if ( $object ) {
my $file = $_[0];
open IF , $file or fatal_error "Unable to open $file: $!";
@ -137,9 +152,11 @@ sub copy( $ ) {
}
close IF;
}
}
sub copy1( $ ) {
if ( $object ) {
my $file = $_[0];
open IF , $file or fatal_error "Unable to open $file: $!";
@ -159,16 +176,6 @@ sub copy1( $ ) {
}
close IF;
}
sub append_file( $ ) {
my $user_exit = find_file $_[0];
unless ( $user_exit =~ /$env{SHAREDIR}/ ) {
if ( -f $user_exit ) {
save_progress_message "Processing $user_exit ...";
copy1 $user_exit;
}
}
}

21
New/Shorewall/Config.pm
View File

@ -5,14 +5,14 @@ use warnings;
use Shorewall::Common;
our @ISA = qw(Exporter);
our @EXPORT = qw(find_file do_initialize report_capabilities propagateconfig %config %env %capabilities );
our @EXPORT = qw(find_file do_initialize report_capabilities propagateconfig append_file %config %env %capabilities );
our @EXPORT_OK = ();
our @VERSION = 1.00;
#
# From shorewall.conf file
#
my %config =
our %config =
( STARTUP_ENABLED => undef,
VERBOSITY => undef,
#
@ -102,7 +102,7 @@ my @propagateenv = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /;
# Misc Globals
#
my %env = ( SHAREDIR => '/usr/share/shorewall' ,
our %env = ( SHAREDIR => '/usr/share/shorewall' ,
CONFDIR => '/etc/shorewall',
LOGPARMS => '',
VERSION => '3.9.0',
@ -111,7 +111,7 @@ my %env = ( SHAREDIR => '/usr/share/shorewall' ,
#
# From parsing the capabilities file
#
my %capabilities =
our %capabilities =
( NAT_ENABLED => undef,
MANGLE_ENABLED => undef,
MULTIPORT => undef,
@ -491,4 +491,15 @@ sub propagateconfig() {
}
}
1;
sub append_file( $ ) {
my $user_exit = find_file $_[0];
unless ( $user_exit =~ /$env{SHAREDIR}/ ) {
if ( -f $user_exit ) {
save_progress_message "Processing $user_exit ...";
copy1 $user_exit;
}
}
}
;

194
New/compiler.pl
View File

@ -134,146 +134,6 @@ my %default_actions = ( DROP => 'none' ,
QUEUE => 'none' );
#
# Create a new chain and return a reference to it.
#
sub new_chain($$)
{
my ($table, $chain) = @_;
my %ch;
my @rules;
$ch{name} = $chain;
$ch{log} = 1 if $env{LOGRULENUMBERS};
$ch{rules} = \@rules;
$ch{table} = $table;
$chain_table{$table}{$chain} = \%ch;
\%ch;
}
#
# Create a chain if it doesn't exist already
#
sub ensure_chain($$)
{
my ($table, $chain) = @_;
my $ref = $chain_table{$table}{$chain};
return $ref if $ref;
new_chain $table, $chain;
}
sub finish_chain_section( $$ );
#
# Create a filter chain if necessary. Optionally populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
#
sub ensure_filter_chain( $$ )
{
my ($chain, $populate) = @_;
my $chainref = $filter_table->{$chain};
$chainref = new_chain 'filter' , $chain unless $chainref;
if ( $populate and ! $chainref->{referenced} ) {
if ( $section eq 'NEW' or $section eq 'DONE' ) {
finish_chain_section $chainref , 'ESTABLISHED,RELATED';
} elsif ( $section eq 'ESTABLISHED' ) {
finish_chain_section $chainref , 'ESTABLISHED';
}
}
$chainref->{referenced} = 1;
$chainref;
}
#
# Add a builtin chain
#
sub new_builtin_chain($$$)
{
my $chainref = new_chain $_[0],$_[1];
$chainref->{referenced} = 1;
$chainref->{policy} = $_[2];
$chainref->{builtin} = 1;
}
sub new_standard_chain($) {
my $chainref = new_chain 'filter' ,$_[0];
$chainref->{referenced} = 1;
$chainref;
}
#
# Add all builtin chains to the chain table
#
#
sub initialize_chain_table()
{
for my $chain qw/OUTPUT PREROUTING/ {
new_builtin_chain 'raw', $chain, 'ACCEPT';
}
for my $chain qw/INPUT OUTPUT FORWARD/ {
new_builtin_chain 'filter', $chain, 'DROP';
}
for my $chain qw/PREROUTING POSTROUTING OUTPUT/ {
new_builtin_chain 'nat', $chain, 'ACCEPT';
}
for my $chain qw/PREROUTING INPUT FORWARD OUTPUT POSTROUTING/ {
new_builtin_chain 'mangle', $chain, 'ACCEPT';
}
if ( $capabilities{MANGLE_FORWARD} ) {
for my $chain qw/ FORWARD POSTROUTING / {
new_builtin_chain 'mangle', $chain, 'ACCEPT';
}
}
}
#
# Dump the contents of the Chain Table
#
sub dump_chain_table()
{
print "\n";
for my $table qw/filter nat mangle/ {
print "Table: $table\n";
for my $chain ( sort keys %{$chain_table{$table}} ) {
my $chainref = $chain_table{$table}{$chain};
print " Chain $chain:\n";
if ( $chainref->{is_policy} ) {
print " This is a policy chain\n";
my $val = $chainref->{is_optional} ? 'Yes' : 'No';
print " Optional: $val\n";
print " Log Level: $chainref->{loglevel}\n" if $chainref->{loglevel};
print " Syn Parms: $chainref->{synparams}\n" if $chainref->{synparams};
print " Default: $chainref->{default}\n" if $chainref->{default};
}
print " Policy chain: $chainref->{policychain}{name}\n" if $chainref->{policychain} ;
print " Policy: $chainref->{policy}\n" if $chainref->{policy};
print " Referenced\n" if $chainref->{referenced};
if ( @{$chainref->{rules}} ) {
print " Rules:\n";
for my $rule ( @{$chainref->{rules}} ) {
print " $rule\n";
}
}
}
}
}
#
# This function determines the logging for a subordinate action or a rule within a subordinate action
#
@ -2378,52 +2238,6 @@ sub setup_mac_lists( $ ) {
}
}
#
# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain
#
sub finish_chain_section ($$) {
my ($chainref, $state ) = @_;
my $chain = $chainref->{name};
add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT};
if ($sections{RELATED} ) {
if ( $chainref->{is_policy} ) {
if ( $chainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', "\@$chain";
if ( $section eq 'DONE' ) {
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE)$/ ) {
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
}
} else {
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
}
}
} else {
my $policychainref = $chainref->{policychain};
if ( $policychainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', "\@$policychainref->{name}";
add_rule $synchainref, "-p tcp --syn -j $synchainref->{name}";
}
}
}
}
#
# Do section-end processing
#
sub finish_section ( $ ) {
my $sections = $_[0];
for my $zone ( @zones ) {
for my $zone1 ( @zones ) {
my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"};
if ( $chainref->{referenced} ) {
finish_chain_section $chainref, $sections;
}
}
}
}
#
# Macro and action files can have shell variables embedded. This function expands them from %ENV.
@ -4600,7 +4414,7 @@ sub generate_script_2 () {
open MF, $mf or fatal_error "Unable to open $mf: $!";
while ( $line = <MF> ) { print $object $line if $line =~ /^\s*loadmodule\b/; }
while ( $line = <MF> ) { emit_unindented $line if $line =~ /^\s*loadmodule\b/; }
close MF;
@ -4678,11 +4492,7 @@ sub compile_firewall( $ ) {
fatal_error "$@" if $@;
eval {
( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
};
fatal_error "$@" if $@;
$tempfile = create_temp_object;
generate_script_1;
}